Security

— This post is part of a series of blog posts about all kinds of Security topics for Developers —

Threat modeling is a process which far too few developers know about. It is a process that does what the name suggests: It helps you to model all threats to your application. Basically you make a list of threats, but in a structured way, such that you can assess the risks, and decide what to do about them.

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

Recently I’ve been doing a lot of work for Data Privacy at TOPdesk. Since May 2018 the GDPR is in effect, so our developers need to be aware of the consequences. Since I’m mostly a security guy, I was wondering about the differences and similarities between Data Security and Data Privacy. Do they have the same goal? Can you use the same approach? Or is there a trade-off?

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

In today’s article, we want to have a closer look at cross-origin resource sharing to see how it can help making your web application a little safer. Or more correctly, help giving you more control over the security of your application.
But before we can dive into talking about CORS, we need to explain the SOP.

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

The HTTP protocol is stateless, meaning that the server is not required to store state information for a conversation. This simplifies the protocol a lot, but there are often situations where keeping state is desired. For example, you don’t want users to send their login credentials with each request. To prevent having to reauthenticate all the time, sessions were invented. Sessions are great because they allow the user to authenticate once, and then stop thinking about it. However, hackers also find them great, because if sessions leak, the hacker doesn’t need to authenticate either to use your account. So, how do we do proper session management and prevent session data from falling into the wrong hands?

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

Adding security headers is usually a quick win when improving the security of your web application, but nowadays there’s so many to choose from. Or shouldn’t you choose at all? Why not add all of them? How does this work? We tried to make an overview of which headers improve your security, and what they actually try to achieve for you.

Let’s start at the beginning. The HTTP protocol tells you to specify the HTTP protocol version, add a bunch of headers and optionally include a body for your request/response. The response headers can be thought of as meta data to the response, or as additional instructions for the browser. E.g. it tells the browser which content type the reponse page has, what server handled the request, or how long the requested resource can be cached. Below is an example of an HTTP response. The relevant security headers are marked in red.

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

Security experts, penetration testers, developers, administrators, and anyone else who creates or deploys software will often ask the question “Just how closely should I guard the version numbers of software and libraries that I use?”

Today, we are going to look at some answers to that question, and why we might choose one approach over another.

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

It’s been a while ago when I first heard about reverse tabnabbing. Initially I didn’t think much of it, because exploits are not always straightforward. At TOPdesk we fixed any potential issues some time ago, but recently it’s getting more attention. I always applaud it when security topics get more attention, and therefore I’d like to explain here how we approach this at TOPdesk.

“Reverse tabnabbing” you say? What are you talking about? Never heard of this thing. Okay, so apparently it hasn’t gotten enough attention yet. Reverse tabnabbing can easily lead to some nasty phishing attacks. I originally read this article by Mathias Bynens on rel=noopener. It explains (and demonstrates) that if a site has a link to an external domain, and when you click the link, the site on the other domain gets full control over the parent’s window object.

The new recommendations put an end to many of the crappy guidelines that we all hated, like requiring all kinds of special characters in your password, or having to change the password every x weeks. Slowly, people start to understand that these were not very good guidelines as they weren’t very well aligned with human behaviour.

Are you an ambulance driver, and need a password? Try ‘ambulance’. If the system also requires numbers, what about ‘ambulance1’? Special characters? Good chance that you will select ‘ambulance1!’. And next month, when the password needs to be changed, it will be ‘ambulance2!’, and so on. That’s what happens when you try to annoy people with these requirements. It gets ‘less’ secure, instead of ‘more’.

— This post is part of a series of blog posts about all kinds of Security topics for Developers —

Imagine the following: You set up your blog a while ago. Everything is running smoothly. You add a few plugins here and there to make managing it easier, and you are using a custom theme so it looks enticing to new visitors.

One day, on a routine check of the comments you received, you decide to investigate one comment a bit more closely since it contains a link. You don’t want to end up supporting spam messages, so you decide to click the link and see what it’s all about.Read more

— This post is part of a series of blog posts about all kinds of Security topics for Developers —

Cookies are small packets of data which a server can send to your browser to store some configuration or personal data. The browser automatically sends them along with all requests to that same server. The contents are usually very interesting to hackers, so it’s important to know how to secure these cookies. Fortunately there are a lot of things you can do to improve cookie security. So… what do you need to know?

I started working with Docker at TOPdesk almost a year ago. Security is an interest of mine, so I did some research. You can’t look at Docker without thinking about Microservices, although they are separate topics. It is often said that Microservices can greatly improve your security. But also, that if you do it wrong, security can actually get worse.
So, what do you need to do to improve (Docker) security, rather than get rid of it? For most security concerns there is already a good solution, although not all of them are widely adopted. Let’s have a look at our concerns and how we take care of them.

At TOPdesk security is an important topic. It always has been, but in the last year the way we approach security is changing fast. We think we’re on the right track, and today we’re announcing the next step to help developers enjoy secure development.